Next Wave in Security: Protecting Smart Phones, PDAs

By Brian Prince  |  Posted 02-09-2007

SAN FRANCISCO—Given the number of employees using smart phones and other mobile devices, corporations must start to focus their security on more than just their network perimeter, according to security analysts and specialists attending the RSA Conference here.

Research done by the Business Forum Management Program in 2006 found that roughly 49 percent of the 680 executives surveyed are "mobile" or "very mobile," and about 80 percent plan to increase the number of mobile devices used in the next few years.

And even though a quarter of the respondents reported having critical data stored on mobile devices, 40 percent said they have no security and compliance measures in place to protect data on those devices. In addition, just 17.2 percent said they are very concerned about a breach in their company's mobile communications—almost the same share that reported being unconcerned.


The next wave in security will deal with protecting items such as smart phones, said Curtis Cresta, vice president and general manager of North American Operations for F-Secure. Smart phones, he said, are easier to maintain and cost less than laptops, making them increasingly attractive to enterprises. In the past several months, there has been an uptick in interest in security features for smart phones among larger corporations, he added.

"Imagine what the CEO has on here," said Cresta, holding his smart phone in his hand.

In other regions, such as Asia and Europe, the widespread use of business applications on mobile phones has already begun, noted Gartner analyst John Pescatore. With the increased presence of applications on cell phones, the threat of Web-based attacks becomes less theoretical, he said.

"It's definitely become a much more real threat in 2007," Pescatore said, adding that he expects enterprises in North America to start worrying around the end of this year and into the next.

Even at the RSA Conference—an event that draws thousands of computer-savvy users—many attendees were operating their wireless devices insecurely. AirDefense, a wireless security company, found more than half of the 347 wireless devices it monitored at the conference on Feb. 6—including laptops, PDAs and phones—were susceptible to "Evil Twin" types of attacks.

An "Evil Twin" attack is a technique whereby an attacker tricks victims into connecting via their laptop or PDA to a malicious server that is posing as a legitimate hot spot.


"There is a lot of user education that needs to go into wireless that isn't being done," said Richard Rushing, chief security officer of AirDefense.

In fact, many people place such a premium on convenience that they overlook the security risks inherent in wireless Internet connections, Rushing said. Mobile phones are just another device that needs to be secured, he said.

To Pescatore, the solution to battling the intrusion of malware into smart phones does not lie with software. There are too many platforms and far too much turnover of devices, he said. Instead, at least in the short term, corporations need proper policies to govern use of wireless devices and to educate their staffs.

The ultimate solution involves getting the carriers to provide services to fight malware and drive security filtering onto mobile devices, he said.
